SAP Connectivity

* SAP is designed to be able to interact with many external systems.
* This way you can integrate and centralize information under a unique architecture.
* Communicating with other systems:
  * ALE
  * EDI
  * HTTP
  * RFC
  * FTP
  * XML

A Bit of History...

* In the beginning, SAP implemented IBM's CPI-C interface to communicate with other systems.
* CPI-C was developed to allow data transfer.
* Complex applications needed to be able to call functions on other servers.
* Result: SAP RFC (Remote Function Call) Interface.
* Developed in the 1980s, based on CPI-C.
* Today, the RFC Interface is a key component of the SAP Application Server.

* For a Function Module to be remotely callable, it must be flagged as "Remote-enabled module".
* ABAP programs can call a remote Function Module using the command CALL FUNCTION...

    CALL FUNCTION 'ZCUST_GETMONEY' DESTINATION 'PROD2'
      EXPORTING
        ZCUST_ID       = 100
      IMPORTING
        MONEY          = cust_money
      TABLES
        TABINFO        = table1
      EXCEPTIONS
        CUST_NOT_FOUND = 0
        TABLE_EMPTY    = 1.

RFC Between SAP Systems

* The DESTINATION parameter indicates that this is a remote call.
* Concretely, DESTINATION is an index key into the RFC Destinations table (RFCDES), maintained through transaction SM59.

RFC Between SAP and External Systems

* Integration with legacy systems.
* Client External Systems vs. Server External Systems.
* Communication is done through the Gateway Server.

[Diagram: the Gateway Server, made up of the Gateway Reader, the Gateway Monitor and the Gateway Work Process; an External Program and External Program Administration connect to it.]

RFC Between SAP and External Systems

* External RFC Client: a client program calls an ABAP Function Module.
* External RFC Server: an ABAP program calls server functions.

[Diagram: on the left, an External RFC Client calling an ABAP Function Module; on the right, an ABAP program calling Server Function 1 and Server Function 2 on an External RFC Server and receiving the result.]

External RFC Servers

* The client doesn't need to supply logon information.
* Two ways of "attaching" External RFC Servers:
  * Started Mode
    * The Application Server starts them remotely on demand.
    * Commonly via Remote Shell or Remote Exec (!)
    * The External Server is closed after the operation.
  * Registered Mode
    * The External Server registers at the Gateway Server.
    * Identified by a Program ID.
    * The External Server is not closed.

But... how do you develop an external client / server?

The RFC Library

"The RFC Library is the most commonly used and installed component of existing SAP software"
-- SAP RFCSDK Guide

* API released by SAP to allow development of external clients/servers.
* Available for all SAP supported platforms.
* Forward, backward and sideward compatible.
* Thread safe.
* An upper layer: JCo, .Net, VB.
* Very good documentation.
* Delivered with examples.

External RFC Server Internals

* First of all, the server installs the available functions:

    RfcInstallFunction(RFC_FUNCTIONNAME functionname,
                       RFC_ONCALL       f_ptr,
                       rfc_char_t      *docu);

* It listens for and dispatches requests in an RfcDispatch() loop.
* The requested function (f_ptr) is executed.
* Results are sent back to the client.
* Three functions are installed by default:
  * RFC_DOCU
  * RFC_PING
  * RFC_SYSTEM_INFO

Traffic Analysis

* Information is sent in clear text by default.
* SAP provides SNC (Secure Network Communications) for encryption of traffic.
* What can we get?
  * Logon information.
  * Called function name.
  * Parameter information and content.
  * Table information and content (may be compressed).
  * Client and server information.

[Packet capture excerpt: strings such as "rfc server" and the user name "BCUSER" are readable in the clear-text payload.]

Traffic Analysis: Show me the Password!

* You said that data is clear text... but I can't see a single password!
* Reason: the password is obfuscated.

    for each CHAR at position i in CLEAR_TEXT_PASS:
        OBFUSCATED_PASS[i] = CHAR XOR KEY[i]

    KEY_TO_THE_KINGDOM = [0x96, 0xde, 0x51, 0x1e, 0x74, 0x0e,
                          0x09, 0x09, 0x04, 0x1b, 0xd9, 0x46, 0x3c, 0x35, 0x4d, 0x8e,
                          0x55, 0xc5, 0xe5, 0xd4, 0x0b, 0xa0, 0xdd, 0xd6, 0xf5,
                          0x21, 0x32, 0x0f, 0xe2, 0xcd, 0x68, 0x4f, 0x1a, 0x50,
                          0x8f, 0x75, 0x54, 0x86, 0x3a, 0xbb]

Function Analysis: RFC_DOCU

* Retrieves documentation about the functions installed on the External Server.
* Concretely, it outputs the strings passed in the docu parameter of the RfcInstallFunction() calls.
* No need for valid logon data.
* Available in External Systems.

This function can be used to discover installed functions and their structure.

Function Analysis: RFC_PING

* An RFC ping.
* Connects to the target system, checking its availability.
* No need for valid logon data.
* Available in External Systems and R/3.

This function can be used to check the availability of a remote RFC Server.

Function Analysis: RFC_SYSTEM_INFO

* Obtains the RFC server's system information.
* No need for logon data!
* Available in External Systems and R/3.

What can we get?
* SAP Kernel Version
* Hostname
* Timezone
* Database Engine
* Database Host
* System ID
* Operating System


Attacking the Giants: Exploiting SAP Internals 
Security Review of the RFC Interface... 


Some Other Functions

Other functions are installed by default in every external RFC server. We have discovered security vulnerabilities in some of them:

* RFC_TRUSTED_SYSTEM_SECURITY
* RFC_SET_REG_SERVER_PROPERTY
* RFC_START_GUI
* SYSTEM_CREATE_INSTANCE
* RFC_START_PROGRAM

Any of these functions can be called, just like regular installed functions...

Function Analysis: RFC_TRUSTED_SYSTEM_SECURITY

* Designed for internal use by SAP only.
* Available in External Systems.

Impact:

This function can be used to check the existence of users and groups in the External system, its domain and trusted domains.

Function Analysis: RFC_SET_REG_SERVER_PROPERTY

* Enables the definition of properties of External Registered Servers.
* Available in External Systems.

Impact:

Calling this function with a special parameter would render an External Registered Server unavailable to other clients (Denial of Service).

Function Analysis: RFC_START_GUI

* Starts SAPGUI on FrontEnd systems.
* Available in External Systems.

Impact:

Calling this function with a specially crafted parameter would result in the ability to run arbitrary remote commands on the External Server system.

Function Analysis: SYSTEM_CREATE_INSTANCE

* Enables the creation of remote objects, where an object adapter is available.
* Available in External Systems.

Impact:

Calling this function with a specially crafted parameter would result in the ability to run arbitrary remote commands on the External Server system.

Function Analysis: RFC_START_PROGRAM

* Enables the execution of operating system commands on External Servers.
* Commands are restricted by the RfcAllowStartProgram() function:
  * No RfcAllowStartProgram() call      => Remote execution disabled.
  * RfcAllowStartProgram("foo.exe")     => Execution of "foo.exe" is authorized.
  * RfcAllowStartProgram(NULL)          => All commands are authorized.

Function Analysis: RFC_START_PROGRAM (cont.)

Impact:
Calling the function with specially crafted parameters would allow an attacker to:
* Obtain information about the configuration of the remote server.
* Execute arbitrary remote commands, exploiting a buffer overflow vulnerability.

Function Analysis: RFC_START_PROGRAM (cont.)

What happens if RfcAllowStartProgram("dumbcommand.exe") is used?

* Analysis of RfcAllowStartProgram() revealed that only the first N bytes of the incoming command are verified, where N is the length of the allowed command.
* If you know an allowed command, you can execute another:
  "allowedCommand.exe\..\..\..\path\to\evil\command.exe"
* According to SAP, external server developers should validate against this type of attack...
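The prefix-only comparison described on this slide, modelled next to a stricter allow-list check. This is an added example written for this page; it is not code from the slides, from sapyto or from the SAP RFC Library. The function names, the allow-list entry and the sample requests are constructed for illustration; the traversal string is the one quoted above.

```python
import ntpath

# Constructed allow-list: the one program an external server intends to expose.
ALLOWED_PROGRAM = "allowedCommand.exe"

# Constructed incoming requests; the second one is the string from the slide.
SAMPLE_REQUESTS = [
    "allowedCommand.exe",
    "allowedCommand.exe\\..\\..\\..\\path\\to\\evil\\command.exe",
    "other.exe",
]


def prefix_only_is_allowed(command, allowed):
    """Check as the slide describes it: only the first len(allowed) bytes of the
    incoming command are compared, so whatever follows the allowed name is never
    examined. A None allow-list means every command is allowed."""
    if allowed is None:
        return True
    return command[:len(allowed)] == allowed


def strict_is_allowed(command, allowed):
    """Stricter check: deny by default when there is no allow-list (a design
    choice here, the opposite of the library behaviour described on the slide),
    collapse '.' and '..' components the way a loader would, keep only the final
    path element, and require both that element and the raw request to equal
    the allowed name. The traversal string normalises to
    '..\\..\\path\\to\\evil\\command.exe', whose basename 'command.exe' no
    longer matches."""
    if allowed is None:
        return False
    resolved = ntpath.basename(ntpath.normpath(command))
    return resolved == allowed and resolved == command


def compare_checks(requests=SAMPLE_REQUESTS, allowed=ALLOWED_PROGRAM):
    """Return {request: (prefix_only_result, strict_result)} for each request."""
    return {
        req: (prefix_only_is_allowed(req, allowed), strict_is_allowed(req, allowed))
        for req in requests
    }


if __name__ == "__main__":
    for req, (weak, strict) in compare_checks().items():
        print(f"{req!r:65} prefix-only={weak!s:5} strict={strict}")
```

ntpath is used on purpose so the normalisation behaves like the Windows path rules the slide's example relies on, regardless of the host running the check; a server exposing POSIX programs would apply posixpath the same way.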

RFCEXEC

* Bundled with the RFCSDK.
* Released as an example.
* Not intended for productive use.
* Installs the following functions:
  * RFC_RAISE_ERROR
  * RFC_MAIL
  * RFC_REMOTE_PIPE
  * RFC_REMOTE_FILE
  * RFC_REMOTE_EXEC
* Protected through rfcexec.sec file directives.

SAPXPG

* Executable shipped with the SAP R/3 Application Server.
* Used for execution of external commands and programs.
* Installs the following functions:
  * SAPXPG_END_XPG
  * SAPXPG_START_XPG_LONG
  * SAPXPG_START_XPG

Advanced Attacks

Attacks Setup

* Scenario:

[Diagram: an SAP R/3 system connected to several External RFC Servers, up to External RFC Server N.]

* We need some information about the current deployment.
* How do we get it?
  * Network sniffing (RFC is clear text!).
  * The Gateway Monitor.
  * Kidnapping an ABAP developer. (No step-by-step demonstration)

The Gateway Monitor

* The Gateway Server has a configuration parameter for controlling Gateway Monitor access:

    gw/monitor = 0    Monitor is disabled.
    gw/monitor = 1    Local access only.
    gw/monitor = 2    Remote access enabled.

* Up to SAP Kernel 6.20, the default value for this parameter is 2.
* Remote access to the Gateway Monitor would provide any information needed for the attacks.

Evil Twin

* Registration of External Servers can be done remotely.
* The ACL for the registration process is implemented through the reginfo file.
* By default, registration is allowed for everyone. (Registration Party!)
* External Servers can register several times with the same Program ID.
* ANY External Server can register with that ID!

* Attack:
  1. Connect to the licit Registered Server, ID=REG1 (blocking connections).
  2. Register an External Server with ID=REG1.
  3. Drink some beer while watching calls arriving at our Evil Twin Server...
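A small profile audit covering the two gateway settings from the Gateway Monitor and Evil Twin slides: the gw/monitor value and whether a reginfo ACL file is configured. This is an added example for this page, not code from the slides or from SAP. gw/monitor is the parameter named above; gw/reg_info is the SAP profile parameter that points the gateway at its reginfo file. The profile contents, system name and file path below are constructed, and treating a missing gw/monitor as 2 follows the pre-6.20 default stated on the slide.

```python
# Constructed instance profile: gw/monitor left at 2 and no reginfo file set.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
# gateway settings
gw/monitor = 2
"""

# Constructed hardened profile for comparison.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
gw/monitor = 1
gw/reg_info = /usr/sap/PRD/SYS/global/reginfo
"""

# Meanings as given on the Gateway Monitor slide.
GW_MONITOR_MEANING = {
    "0": "Monitor is disabled",
    "1": "Local access only",
    "2": "Remote access enabled",
}


def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile into a dict.
    '#' starts a comment; blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_gateway(params):
    """Return a list of findings for the gateway settings (empty = nothing to report)."""
    findings = []
    # Slide: up to kernel 6.20 the default is 2, so absence is treated as 2.
    monitor = params.get("gw/monitor", "2")
    meaning = GW_MONITOR_MEANING.get(monitor, "unknown value")
    if monitor not in ("0", "1"):
        findings.append(
            f"gw/monitor={monitor} ({meaning}): the Gateway Monitor is reachable "
            "over the network; set it to 0 or 1")
    if "gw/reg_info" not in params:
        findings.append(
            "gw/reg_info not set: no reginfo ACL is configured in the profile, and "
            "by default registration is allowed for everyone (Evil Twin precondition)")
    return findings


def audit_profile_text(text):
    """Convenience wrapper: parse a profile and audit it in one step."""
    return audit_gateway(parse_profile(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile_text(text) or ["no findings"])
```

Run it against a real instance profile by reading the file into audit_profile_text(); the check reports configuration only and does not connect to any gateway.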

Evil Twin illustrated...

[Diagram: an External RFC Server registered at the SAP R/3 gateway, and a malicious server registering with the same Program ID; from then on the incoming requests are attended by the evil one.]

A Wiser (and Stealth) Evil Twin: MITM Attacks

* Proof of Concept.

* Attack:
  1. Connect to the licit Registered Server, ID=REG1 (blocking connections).
  2. Register an External Server with ID=REG1.
  3. Receive the RFC call.
  4. Log / modify parameter values.
  5. Use the established connection with the licit Registered Server to forward the (possibly modified) RFC call.
  6. Get the results and send them to the original client.
  7. Disconnect from the licit Registered Server.
  8. Back to step 1.

MITM illustrated...

[Diagram: SAP R/3, the valid External RFC Server and the Malicious Server placed between them. This time, every RFC call received is logged/modified and forwarded to the valid external server.]

Attacking the R/3 with a Registered Server

* The RFC Interface allows clients / servers to perform "callbacks".

[Diagram: client code calls Function 1 on the server, and the server in turn calls Function 1 back on the client.]

Attacking the R/3 with a Registered Server (cont.)

* We can perform "callbacks" to R/3 systems.
* The RFC call is executed in the context of the original R/3 call.
* Impact depends on the authorizations of the R/3 user (SAP_ALL?).

* Attack:
  1. Connect to the licit Registered Server, ID=REG1 (blocking connections).
  2. Start an Evil Twin.
  3. Receive the RFC call.
  4. Perform the RFC callback.
  5. If the user has SAP_ALL... Bingo!

[Diagram: SAP R/3, the SAP Gateway, the External RFC Server and the Malicious Server. As in the Evil Twin, the malicious server has taken all new connections to the previous one, but now it makes a callback to the R/3 server.]

sapyto

* First public framework for performing SAP Penetration Tests.
* Core dependencies: SAP RFC Library and saprfc module.
* Plugin based.
* Audit & Attack plugins.
* Shipped with plugins for testing RFC vulnerabilities, auditing SAP R/3 configuration, etc.
* Developed in Python and C.

Available Plugins in Beta Version

* Audit:
  * RFC Ping.
  * Registration of External Servers.
  * Detection of RFCEXEC.
  * Detection of SAPXPG.
  * Get system information.
  * Get server documentation.

Available Plugins in Beta Version (cont.)

* Attack:
  * RFC_START_PROGRAM Directory Traversal.
  * Run commands through RFCEXEC.
  * Run commands through SAPXPG.
  * StickShell.
  * Evil Twin Attack.
  * Get remote RFCShell.

sapyto Demonstration

Conclusions & Comments

* The RFC Interface is a wide door into SAP Systems. It has to be locked!
* SAP has responded quickly and provided solutions with SAP Notes 1003908, 1003910, 1004084, and 1005397.
* SAP Administrators must apply the patches.
* SNC prevents credential and information sniffing. It is included in SAP systems and must be activated.
* The network must be properly segmented.
* The advanced attacks described can be avoided with proper configuration + patches.

Coming soon...

* Attacking SAP clients.
* SAP Backdoors.
* ABAP Worms.
* Exploiting Trusted Systems.
* RFC Fuzzer.

Stay tuned!